Virus and Spyware Removal Guides, uninstall instructions
What is Xdqd ransomware?
Ransomware is a type of malware that encrypts files on the infected computer so that victims cannot access them without a specific decryption tool, which the attackers offer for sale. As a rule, ransomware generates a ransom note containing instructions on how to contact and pay the cybercriminals.
Xdqd ransomware belongs to the ransomware family called Makop. It encrypts and renames files - it appends the victim's ID, xdatarecovery@msgsafe.io email address, and the ".xdqd" extension to their filenames.
For instance, it renames a file named "1.jpg" to "1.jpg.[9B83AE23].[xdatarecovery@msgsafe.io].xdqd", "2.jpg" to "2.jpg.[9B83AE23].[xdatarecovery@msgsafe.io].xdqd", and so on. Xdqd also creates the "readme-warning.txt" file (its ransom note) in folders containing encrypted files.
What is ustrack[.]online?
Ustrack[.]online is a deceptive website designed to trick visitors into downloading and installing a potentially unwanted application (PUA) or several such apps. Like most websites of this type, it displays a fake virus notification claiming that the visitor's device (an iPhone) has been infected and urges the visitor to remove the detected viruses as soon as possible.
In most cases, websites like ustrack[.]online are promoted through untrustworthy websites, advertisements or potentially unwanted applications - users do not visit pages like ustrack[.]online intentionally.
What is ElemntState?
ElemntState is a rogue application classified as adware. This app also has browser hijacker qualities. Following successful installation, it delivers intrusive advertisement campaigns and causes redirects to fake search engines (through modifications to browser settings).
ElemntState likely has data tracking abilities, as that is typical of adware and browser hijackers. Since most users download/install this piece of software inadvertently, it is categorized as a PUA (potentially unwanted application).
One of the deceptive techniques used to distribute ElemntState is proliferation via fake Adobe Flash Player updates. It is noteworthy that fraudulent updaters/installers are used to spread not just PUAs but malware (e.g., trojans, ransomware, etc.) as well.
What is Ducky?
Information stealers like Ducky are malicious programs designed to gather sensitive information from a system. In most cases, info stealers target data such as login credentials (usernames, email addresses, passwords), credit card details (cardholder name, expiry date, CVV code), and other information stored by web browsers, instant messengers, email clients, VPN clients and similar software.
It is common that cybercriminals design information stealers to look like legitimate programs.
What is the H$ ransomware?
H$ is the name of a malicious program classified as ransomware. It is designed to encrypt data and demand payment for the decryption. In other words, files stored on infected systems are rendered inaccessible, and victims are asked to pay to recover access to their data.
During the encryption process, affected files are appended with the ".h$" extension. For example, a file initially titled something like "1.jpg" would appear as "1.jpg.h$", "2.jpg" as "2.jpg.h$", etc. After this process is complete, ransom notes are dropped onto the desktop.
H$ ransomware creates one hundred identical messages named "Pay2Decrypt1.txt", "Pay2Decrypt2.txt", and so on up to "Pay2Decrypt100.txt".
What kind of application is BrowserActivity?
BrowserActivity is distributed using a fake installer that imitates the installer for Adobe Flash Player. Typically, fake installers install unwanted software; in this case, an unwanted application that generates advertisements, changes the affected web browser's settings, and collects data.
Apps that function like BrowserActivity are called adware and browser hijackers. It is worth mentioning that it is unlikely for apps like BrowserActivity to be downloaded and installed on purpose.
That is why they are called potentially unwanted applications.
What is oossautsid[.]com?
Sharing many similarities with acancyfopl.biz, topfreearticles.xyz, suadeh.club, and thousands of others, oossautsid[.]com is a rogue website. This page is designed to present visitors with dubious content and/or redirect them to untrustworthy and malicious sites.
Users rarely access such websites intentionally; most get redirected to them by intrusive ads or installed PUAs (Potentially Unwanted Applications). This software can infiltrate systems without user permission.
PUAs can have harmful functionalities, including causing redirects, running intrusive advert campaigns, and collecting browsing-related information.
What is acancyfopl[.]biz?
It is strongly advisable not to visit the acancyfopl[.]biz website or trust websites opened through it. This page is designed to check visitors' geolocation and then load deceptive content or open questionable websites (about two or three of them).
Typically, websites like acancyfopl[.]biz are promoted via deceptive advertisements, untrustworthy sites, or potentially unwanted applications (PUAs).
In other words, users do not visit pages like acancyfopl[.]biz intentionally. It is worth mentioning that PUAs can be designed to collect various data and generate advertisements. Typically, users download and install them unknowingly.
What is the EpsilonRed ransomware?
EpsilonRed is a piece of malicious software categorized as ransomware. This malware is programmed in the Go programming language. It operates by encrypting data (rendering files inaccessible) - to make ransom demands for the decryption (access recovery).
During the encryption process, files are appended with the ".EpsilonRed" extension. For example, a file initially titled something like "1.jpg" would appear as "1.jpg.EpsilonRed", "2.jpg" as "2.jpg.EpsilonRed", "3.jpg" as "3.jpg.EpsilonRed", etc.
Following the completion of this process, ransom notes - "HOW_TO_RECOVER.EpsilonRed.txt" - are dropped into affected folders. It is noteworthy that the manner in which EpsilonRed ransomware has been observed infecting systems is quite sophisticated.
EpsilonRed is the final payload of the infection process, which includes the deletion of Volume Shadow Copies and Windows Event Logs, modification of the Windows Firewall, program removal or process termination (e.g., anti-virus software, backup and database services, office applications, email clients, etc.), and many other malicious actions. The EpsilonRed ransomware has been used to attack US businesses in the hospitality sector.
These attacks were likely enabled by a vulnerable enterprise Microsoft Exchange server.
What is Kelly?
Ransomware is a type of malware that denies access to files by encrypting them and creates or displays a ransom demanding message. Cybercriminals monetize ransomware by selling their victims decryption tools.
Kelly encrypts files and modifies their filenames by appending the ".locky" extension to them. For example, it changes the filename of a file named "1.jpg" to "1.jpg.locky", "2.jpg" to "2.jpg.locky", and so on.
Kelly displays a pop-up window as its ransom note. The ransom note is written in Chinese.